Merge "Ceph-RGW: Support rotation of s3 key pairs"

2019-02-07 20:32:26 +00:00 · 2019-02-07 20:32:26 +00:00 · 045e64067b
commit 045e64067b
parent b4ec10151c cf0ed142f6
5 changed files with 47 additions and 49 deletions
--- a/ceph-rgw/templates/bin/rgw/_rgw-s3-admin.sh.tpl
+++ b/ceph-rgw/templates/bin/rgw/_rgw-s3-admin.sh.tpl
@ -1,38 +0,0 @@
-#!/bin/bash
-
-{{/*
-Copyright 2018 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-set -ex
-
-function create_admin_user () {
-  radosgw-admin user create \
-    --uid=${S3_ADMIN_USERNAME} \
-    --display-name=${S3_ADMIN_USERNAME}
-
-  radosgw-admin caps add \
-      --uid=${S3_ADMIN_USERNAME} \
-      --caps={{ .Values.conf.rgw_s3.admin_caps | quote }}
-
-  radosgw-admin key create \
-    --uid=${S3_ADMIN_USERNAME} \
-    --key-type=s3 \
-    --access-key ${S3_ADMIN_ACCESS_KEY} \
-    --secret-key ${S3_ADMIN_SECRET_KEY}
-}
-
-radosgw-admin user stats --uid=${S3_ADMIN_USERNAME} || \
-  create_admin_user
--- a/ceph-rgw/templates/configmap-bin.yaml
+++ b/ceph-rgw/templates/configmap-bin.yaml
@ -39,7 +39,7 @@ data:
  ceph-admin-keyring.sh: |
 {{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  rgw-s3-admin.sh: |
-{{ tuple "bin/rgw/_rgw-s3-admin.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- include "helm-toolkit.scripts.create_s3_user" . | indent 4 }}
  helm-tests.sh: |
 {{ tuple "bin/_helm-tests.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}
--- a/ceph-rgw/templates/job-s3-admin.yaml
+++ b/ceph-rgw/templates/job-s3-admin.yaml
@ -92,17 +92,17 @@ spec:
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.rgw_s3_admin | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          env:
-            - name: S3_ADMIN_USERNAME
+            - name: S3_USERNAME
              valueFrom:
                secretKeyRef:
                  name: {{ $s3AdminSecret }}
                  key: S3_ADMIN_USERNAME
-            - name: S3_ADMIN_ACCESS_KEY
+            - name: S3_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ $s3AdminSecret }}
                  key: S3_ADMIN_ACCESS_KEY
-            - name: S3_ADMIN_SECRET_KEY
+            - name: S3_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ $s3AdminSecret }}
--- a/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
+++ b/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@ -22,15 +22,51 @@ set -ex
 function create_s3_user () {
  radosgw-admin user create \
    --uid=${S3_USERNAME} \
-    --display-name=${S3_USERNAME}
-
-  radosgw-admin key create \
-    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
    --key-type=s3 \
    --access-key ${S3_ACCESS_KEY} \
    --secret-key ${S3_SECRET_KEY}
 }

-radosgw-admin user stats --uid=${S3_USERNAME} || \
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
  create_s3_user
+else
+  update_s3_user
+fi
+
 {{- end }}
--- a/tools/deployment/armada/manifests/armada-lma.yaml
+++ b/tools/deployment/armada/manifests/armada-lma.yaml
@ -123,10 +123,10 @@ data:
      delete:
        - type: job
          labels:
-            release_group: osh-infra-radosgw-osh-infra
+            release_group: osh-infra-osh-infra-radosgw
        - type: pod
          labels:
-            release_group: osh-infra-radosgw-osh-infra
+            release_group: osh-infra-osh-infra-radosgw
            component: test
  values:
    release_uuid: ${RELEASE_UUID}